Code-projects Online Class and Exam Scheduling System V1.0, Cross-Site Scripting (XSS), CVE-2025-29427 (Medium)


How the CVE Works:

CVE-2025-29427 is a stored XSS vulnerability in Code-projects Online Class and Exam Scheduling System V1.0. The flaw exists in profile.php, where user-supplied input in the `member_first` and `member_last` parameters is improperly sanitized before being rendered in the browser. An attacker can inject malicious JavaScript payloads into these fields, which are then executed when an admin or other user views the profile. This allows session hijacking, defacement, or unauthorized actions under the victim’s credentials.

DailyCVE Form:

Platform: Code-projects Online Scheduling
Version: V1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 03/28/2025

What Undercode Says:

Exploitation:

1. Craft a malicious payload:

<script>alert(document.cookie)</script>

2. Submit via `profile.php` parameters:

POST /profile.php HTTP/1.1
member_first=<script>payload</script>&member_last=attack

Mitigation:

1. Sanitize inputs:

// Encode each profile field for HTML output (member_first shown; repeat for member_last)
$clean_input = htmlspecialchars($_POST['member_first'], ENT_QUOTES, 'UTF-8');

2. Implement CSP headers:

Header set Content-Security-Policy "default-src 'self'"

Detection:

1. Scan with SQLMap (XSS mode):

sqlmap -u "http://target/profile.php" --forms --crawl=1 --risk=3 --level=5

2. Manual testing with Burp Suite:

GET /profile.php?member_first=<img src=x onerror=alert(1)>

Log Analysis:

Check Apache logs for suspicious inputs:

grep -E "member_first=|member_last=" /var/log/apache2/access.log
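The grep above matches every request that carries the two parameters, legitimate ones included, so it is a starting point rather than a detector. The following PHP script is an added example (not from the advisory or the project) that parses constructed Apache combined-format lines, URL-decodes the `member_first` and `member_last` values and flags only those containing HTML-significant characters or event-handler tokens. The log lines, IPs and the helper name are constructed for illustration.

```php
<?php
// Added example, not part of the advisory: flag profile.php requests whose
// member_first / member_last values look like markup rather than names.
declare(strict_types=1);

// Constructed sample of Apache combined log format (addresses are documentation ranges).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [28/Mar/2025:10:01:02 +0000] "GET /profile.php?member_first=John&member_last=Doe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2025:10:02:15 +0000] "GET /profile.php?member_first=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&member_last=x HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.2 - - [28/Mar/2025:10:03:40 +0000] "POST /profile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Return one [ip, parameter, decoded value] triple per suspicious hit.
 * Only GET query strings are visible in the access log; POST bodies are not logged.
 */
function findSuspiciousProfileRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP is the first field; the request target follows the method.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [$ip, $target] = [$m[1], $m[2]];
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string (e.g. a POST), nothing to inspect here
        }
        parse_str($query, $params); // parse_str also URL-decodes the values
        foreach (['member_first', 'member_last'] as $p) {
            if (!isset($params[$p])) {
                continue;
            }
            $value = (string) $params[$p];
            // Angle brackets, quotes, on*= handlers or javascript: have no place in a name field.
            if (preg_match('/[<>"\']|\bon\w+\s*=|javascript:/i', $value)) {
                $hits[] = [$ip, $p, $value];
            }
        }
    }
    return $hits;
}

foreach (findSuspiciousProfileRequests(SAMPLE_LOG) as [$ip, $p, $v]) {
    printf("%s %s=%s\n", $ip, $p, $v);
}
```

Run it with `php scan.php` (or pipe a real log through `file_get_contents('php://stdin')` in place of the constant). Because the stored payload is submitted by POST, the access log alone will not show it; application-level logging of rejected profile updates, or a request-body-aware module such as ModSecurity, is needed to see the write path.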

Patch:

Update to the latest version or apply input validation:

// Denylist check: only rejects a literal <script> tag. Keep output encoding
// (htmlspecialchars) as the primary control; this is a supplementary guard.
if (preg_match('/<script>/i', $_POST['member_first'])) {
    die("Invalid input");
}
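To show how the Mitigation and Patch advice above fit together in one handler, here is an added PHP example (not code from Code-projects or from the advisory) that validates the two name fields with an allow-list, encodes them at the point of output with `htmlspecialchars`, and sends the CSP header from PHP rather than the Apache config. The function names `validateName`, `h` and `renderProfile`, and the sample inputs, are assumptions for illustration.

```php
<?php
// Added example, not the project's profile.php: defence in depth for the
// member_first / member_last fields named in the advisory.
declare(strict_types=1);

// Output-encode for HTML text and attribute contexts (ENT_QUOTES covers both quote styles).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list validation for a person's name: letters in any script, combining
// marks, spaces, apostrophes and hyphens, 1 to 50 characters. Null means reject.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/^[\p{L}\p{M}\' -]{1,50}$/u', $name) === 1 ? $name : null;
}

// Render the stored values. The vulnerable pattern the advisory describes is
// echoing $first and $last unencoded; here every value is encoded on output,
// so a payload that reached the database still renders as inert text.
function renderProfile(string $first, string $last): string
{
    return '<p class="name">' . h($first) . ' ' . h($last) . '</p>';
}

if (PHP_SAPI !== 'cli') {
    // Second layer: with default-src 'self', an inline <script> injected via a
    // stored field is blocked by the browser even if encoding is missed somewhere.
    header("Content-Security-Policy: default-src 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed inputs: the advisory's payload for member_first, a legitimate name for member_last.
$first = validateName($_POST['member_first'] ?? '<script>alert(document.cookie)</script>');
$last  = validateName($_POST['member_last'] ?? "O'Brien");

if ($first === null || $last === null) {
    // Reject rather than strip: attempting to "clean" markup invites bypasses.
    echo "Invalid name\n";
} else {
    echo renderProfile($first, $last) . "\n";
}

// Output encoding alone, for a value that was stored before validation existed.
echo renderProfile('<script>alert(1)</script>', 'x') . "\n";
```

Validation protects the write path (`profile.php` accepting the update) and encoding protects every read path; the CSP header is a browser-side backstop, not a substitute for either. When the page is served through Apache, the `Header set Content-Security-Policy` directive above achieves the same as the `header()` call here.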

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-29427